Threat Emulation Exposes Widespread Malware Campaign

Summary

On October 24, 2013, the Check Point ThreatCloud Emulation Service received six PDF document files from a European Union official agency running a Check Point threat prevention gateway. Automated analysis in the Threat Emulation sandbox determined that these documents exploited an Adobe Reader vulnerability, and additional research revealed that these files were delivered via a dynamic URL scheme and were, at the time, detected by only 8% of antivirus solutions. The result was a potentially powerful targeted attack tool that would have evaded many other vendors’ defenses.

After we added detections to ThreatCloud, where they became available to Check Point threat prevention gateway customers worldwide, these gateways reported the detection and blocking of 500 more instances of this attack around the world over the next five days. Information from these events revealed that the attacks appear to be part of a widespread campaign that touches over 140 Web domains. The campaign uses this exploit to deliver the well-known NuclearPack kit to victims in the target organizations.

Read on for more details about this campaign, plus additional recommendations about measures customers and security decision-makers should take to protect themselves against this campaign.

Detailed Analysis

Observation of a malicious document arriving at an organization

On October 24th, Check Point’s ThreatCloud Emulation Cloud Service detected a few malicious documents arriving at several organizations, including a European Union official agency. Seven users at this agency clicked a link that led them to download and view a PDF document.

Analysis by Check Point security researchers revealed that the campaign authors had engineered the infecting URL to avoid static detection by antivirus and resist analysis by security vendors through the use of a dynamic URL scheme which spans multiple domains and IP addresses. Through this technique, each user was led to a different URL; however, all URLs used a similar format, as seen in the following examples:

(Portions of each URL are hidden for your protection and due to ongoing research)

Check Point security researchers performed further analysis in order to uncover, from the few specific samples that we had, additional malicious domains participating in this attack.

Further analysis of malicious documents

Because the affected organization is using the Check Point ThreatCloud Emulation Service, all potentially malicious incoming documents are sent to the Emulation Service for sandboxing and analysis. During emulation, abnormal behavior was detected:

The PDF document exploits a variant of a known vulnerability (CVE-2010-0188) in Adobe Reader.

The document then initiates a network connection to the same URL from which the document was downloaded.

This network connection attempts to download a malicious payload and run it on the end-user device. (The malicious payload can be any program as driven by the campaign, e.g. malware to steal user credentials, accounts, etc.)
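The three behaviors above are what a sandbox verdict is built from: the reader process calling back to the document's own download URL, writing an executable, and running it. The following is an added example (not Check Point's emulation logic) that correlates a constructed trace of reader-process events against the URL the document came from; process names, paths and hosts are hypothetical.

```python
from urllib.parse import urlparse

# Constructed emulation-trace events in the shape (process, action, detail).
# Hypothetical: the file names, host and path below are invented for this example.
DOWNLOAD_URL = "http://example-a.invalid/q7w2e9r4/3fa1c0d9e8b7a6f5d4c3b2a1.pdf"

MALICIOUS_TRACE = [
    ("AcroRd32.exe", "open",    r"C:\Users\u\Downloads\3fa1c0d9.pdf"),
    ("AcroRd32.exe", "connect", DOWNLOAD_URL),                      # callback to origin
    ("AcroRd32.exe", "write",   r"C:\Users\u\AppData\Local\Temp\svc.exe"),
    ("AcroRd32.exe", "exec",    r"C:\Users\u\AppData\Local\Temp\svc.exe"),
]

BENIGN_TRACE = [
    ("AcroRd32.exe", "open",  r"C:\Users\u\Downloads\policy.pdf"),
    ("AcroRd32.exe", "write", r"C:\Users\u\AppData\Local\Temp\AcroFont.cache"),
]

READER_PROCESSES = {"AcroRd32.exe", "Acrobat.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def assess_trace(trace, download_url):
    """Return the behavioral indicators observed in a reader process's trace."""
    indicators = []
    origin = urlparse(download_url)
    written_executables = set()
    for process, action, detail in trace:
        if process not in READER_PROCESSES:
            continue
        if action == "connect":
            target = urlparse(detail)
            if (target.hostname, target.path) == (origin.hostname, origin.path):
                indicators.append("callback-to-origin-url")
            elif target.hostname == origin.hostname:
                indicators.append("callback-to-origin-host")
            else:
                indicators.append("outbound-connection")
        elif action == "write" and detail.lower().endswith(EXECUTABLE_SUFFIXES):
            written_executables.add(detail.lower())
            indicators.append("drops-executable")
        elif action == "exec" and detail.lower() in written_executables:
            indicators.append("executes-dropped-file")
    return indicators


def verdict(trace, download_url):
    """'malicious' when the document both calls back and runs a file it dropped."""
    found = set(assess_trace(trace, download_url))
    calls_back = bool(found & {"callback-to-origin-url", "callback-to-origin-host"})
    if calls_back and "executes-dropped-file" in found:
        return "malicious"
    if found:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    print(assess_trace(MALICIOUS_TRACE, DOWNLOAD_URL), verdict(MALICIOUS_TRACE, DOWNLOAD_URL))
    print(assess_trace(BENIGN_TRACE, DOWNLOAD_URL), verdict(BENIGN_TRACE, DOWNLOAD_URL))
```

The verdict deliberately keys on the combination of indicators rather than any single one: a reader that merely opens a network connection is only "suspicious", while a connection back to the document's own origin followed by execution of a dropped binary is the chain described above.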

More importantly, checking these samples on VirusTotal revealed a low (<10%) detection rate: only 4 of the 46 available antivirus engines detected this malware at the original time of submission.

Example MD5s of documents that were downloaded by the end-users:

837f58ade3fd6e24854ee480d6407a00

7b50e50321f79fde5bab15471a04cffb

Leveraging ThreatCloud to discover the extent of this malware campaign

Our analysis of this targeted attack enabled the creation of a generic anti-malware signature that does not contain a specific domain name, but is instead based on properties observed in the URL generation algorithm. This signature was distributed via ThreatCloud to Check Point security gateways around the world and allowed collection of additional domains related to this campaign.

In the five days from detection on the 24th through October 29th, more than 500 events were observed from additional organizations around the world, which communicated with more than 140 unique domains that match the dynamic signature.
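The point of a structural signature is that it matches on the shape of the generated URL rather than on a domain, so a single rule keeps catching the campaign as it rotates hosts, and every hit contributes a new domain to the blocklist. The block below is an added example, not Check Point's signature: the regular expression is a hypothetical URL shape invented for illustration (the real pattern is withheld above), and the proxy log lines are constructed. It scans the log, counts events and unique domains the way the paragraph above does, and reports which domains are not yet on a known list.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Hypothetical structural signature (NOT the campaign's real pattern): a plain-HTTP
# URL whose path is one 8-character lowercase alphanumeric directory followed by a
# hex-named .pdf. Real signatures would encode whatever the generator leaves constant.
URL_SIGNATURE = re.compile(r"^/[a-z0-9]{8}/[0-9a-f]{16,}\.pdf$")

# Constructed proxy log lines: "<timestamp> <client> <status> <method> <url>".
SAMPLE_LOG = """\
2013-10-24T09:12:01Z 10.1.4.21 200 GET http://example-a.invalid/q7w2e9r4/3fa1c0d9e8b7a6f5d4c3b2a1.pdf
2013-10-24T09:14:33Z 10.1.4.22 200 GET http://example-b.invalid/z1x2c3v4/0badc0ffee1234567890abcd.pdf
2013-10-24T09:15:02Z 10.1.4.23 200 GET http://intranet.example.invalid/docs/policy.pdf
2013-10-24T09:16:45Z 10.1.4.21 200 GET http://example-a.invalid/q7w2e9r4/3fa1c0d9e8b7a6f5d4c3b2a1.pdf
2013-10-24T09:20:10Z 10.1.4.25 200 GET http://example-c.invalid/k9j8h7g6/deadbeefcafef00d12345678.pdf
2013-10-24T09:21:00Z 10.1.4.26 200 GET https://vendor.example.invalid/report.pdf
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, status, method, url = line.split()
    return {"ts": ts, "client": client, "status": int(status), "method": method, "url": url}


def matches_signature(url):
    """True when the URL's shape matches the signature, whatever the host is."""
    parts = urlparse(url)
    return parts.scheme == "http" and URL_SIGNATURE.match(parts.path) is not None


def scan_log(text):
    """Count matching events and the distinct domains they reached."""
    hits = [ev for ev in map(parse_line, text.splitlines()) if matches_signature(ev["url"])]
    domains = Counter(urlparse(ev["url"]).hostname for ev in hits)
    return {"events": len(hits), "unique_domains": len(domains), "domains": dict(domains)}


def new_domains(scan_result, known_domains):
    """Domains that matched the signature but are not yet on the blocklist."""
    return sorted(set(scan_result["domains"]) - set(known_domains))


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    print(result)
    print("not yet blocked:", new_domains(result, {"example-a.invalid"}))
```

Note that the internal document and the HTTPS vendor report in the sample are not matched even though both are PDFs: the signature is about how the path was generated, not about the file type, which is what keeps the false-positive rate manageable while the domain set keeps changing.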

Check Point security researchers have determined that this campaign is using the “NuclearPack” Exploit Kit. While the attackers’ dynamic URL technique is a powerful mechanism for distributing malware, ThreatCloud and Threat Emulation enabled us to activate threat prevention measures that provide Check Point customers with immediate protection against this type of attack.

Protecting your organization from this attack

All Organizations

Ensure that end-user systems are running the latest version of Adobe Reader. The samples we have observed so far exploit a known vulnerability in Adobe Reader version 9.3; later Adobe Reader versions are not vulnerable to these files.

Check Point Customers

Check Point customers who have activated the Anti-Bot and Anti-Virus blades are protected from this targeted campaign. No additional configuration is needed.

Non-Check Point Customers

Apply filtering rules to block URL requests to these domains. Note that this list is continuously growing as new domains are discovered. (See Appendix below)
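As an added illustration of the filtering rule above (not a Check Point configuration), a Squid forward proxy can deny requests to the campaign domains from an external list file, so the file can be refreshed as the appendix grows without editing the main configuration. The domain entries are placeholders to be replaced with the appendix entries; a leading dot makes a Squid dstdomain entry match the domain and all of its subdomains.

```squid
# squid.conf fragment (constructed example): deny requests to listed domains.
acl campaign_domains dstdomain "/etc/squid/campaign-domains.txt"
http_access deny campaign_domains

# /etc/squid/campaign-domains.txt (one entry per line; placeholders, not real IoCs)
.placeholder-domain-1.invalid
.placeholder-domain-2.invalid
```

After updating the list file, run `squid -k reconfigure` so the running proxy reloads the ACL; pair the deny rule with logging of the blocked requests, since each hit is also an indication of a user who clicked the link and whose endpoint should be checked.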